[
https://issues.apache.org/jira/browse/KNOX-2707?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Attila Magyar updated KNOX-2707:
--------------------------------
Description:
h2. Usage
This adds a more flexible way to map principals to groups than the existing
_group.principal.mapping_ in _CommonIdentityAssertionFilter_.
See the motivations behind this at
https://cwiki.apache.org/confluence/display/KNOX/KIP-16+-+Virtual+Groups+in+Apache+Knox
Example:
{code}
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
<param>
<name>virtual.group.mapping.vgroup1</name>
<value>(or (username 'tom') (member 'analyst'))</value>
</param>
</provider>
{code}
General usage:
{code}
<name>virtual.group.mapping.VIRTUAL-GROUP-NAME</name>
<value>PREDICATE</value>
{code}
If the PREDICATE evaluates to true the user is added to VIRTUAL-GROUP-NAME.
There can be any number of virtual group mappings within the provider.
h2. Language Syntax
The predicate uses a parenthesized prefix notation language, similar to Lisp.
* Everything in the language is either an atom or a list
* A list is written with its elements separated by whitespace, and surrounded
by parentheses, like (or true false false)
* Lists can be nested to arbitrary level, like (or true (and false true))
* An atom is either a boolean (true/false), a string, a number or a symbol
(which denotes a functions name or a variable name).
* Strings are single-quoted which makes easier to embed the language into XML
or JSON.
* There is a one to one mapping between the textual syntax and the parser
generated AST. You can always infer the exact AST just by looking at the code.
>From this code the parses generates the following AST:
{code}
(or true (and false true))
{code}
{code}
[or, true, [and, false, true]]
{code}
This has exactly the same structure, but everything is converted to internal
Java representations. Lists are ArrayLists, booleans are java.lang.Boolean-s,
etc.
h2. Evaluation rules
* A literal atom evaluates to itself ('astring', 123).
* If an atom is a symbol (like _or_, _username_, _true_, _false_) then the
atom is looked up in a dictionary.
* The head of a list is the name of the function we're about to call. The rest
are the parameters. E.g.: (or true false)
* Before calling the function (1st item of the list) we evaluate the rest of
the list (recursively).
{code}
(= 0 (size groups))
^ ^ ^
| | |
func param1 param2
{code}
h2. Special forms
For some expressions the evaluation rule is slightly different. These are
called special forms. These are the _or_ and the _and_. To support
short-circuit evaluation, the parameters are not evaluated at the call site but
by the definition itself.
{code}
(or true (and true false))
^ ^ ^
| | |
func param1 param2
{code}
First we call the operator (or) then we let the operator decide which part to
evaluate. In the above example the _or_ will stop evaluating the expression
after it sees that the first argument is _true_.
was:
h2. Usage
This adds a more flexible way to map principals to groups than the existing
_group.principal.mapping_ in _CommonIdentityAssertionFilter_.
See the motivations behind this at
https://cwiki.apache.org/confluence/display/KNOX/KIP-16+-+Virtual+Groups+in+Apache+Knox
Example:
{code}
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
<param>
<name>virtual.group.mapping.vgroup1</name>
<value>(or (username 'tom') (member 'analyst'))</value>
</param>
</provider>
{code}
General usage:
{code}
<name>virtual.group.mapping.VIRTUAL-GROUP-NAME</name>
<value>PREDICATE</value>
{code}
If the PREDICATE evaluates to true the user is added to VIRTUAL-GROUP-NAME.
There can be any number of virtual group mappings within the provider.
h2. Language Syntax
The predicate uses a parenthesized prefix notation language, similar to Lisp.
* Everything in the language is either an atom or a list
* A list is written with its elements separated by whitespace, and surrounded
by parentheses, like (or true false false)
* Lists can be nested to arbitrary level, like (or true (and false true))
* An atom is either a boolean (true/false), a string or a number.
* Strings are single-quoted which makes easier to embed the language into XML
or JSON.
* There is a one to one mapping between the textual syntax and the parser
generated AST. You can always infer the exact AST just by looking at the code.
>From this code the parses generates the following AST:
{code}
(or true (and false true))
{code}
{code}
[or, true, [and, false, true]]
{code}
h2. Evaluation rules
> Virtual Group Mapping Provider
> ------------------------------
>
> Key: KNOX-2707
> URL: https://issues.apache.org/jira/browse/KNOX-2707
> Project: Apache Knox
> Issue Type: New Feature
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> h2. Usage
> This adds a more flexible way to map principals to groups than the existing
> _group.principal.mapping_ in _CommonIdentityAssertionFilter_.
> See the motivations behind this at
> https://cwiki.apache.org/confluence/display/KNOX/KIP-16+-+Virtual+Groups+in+Apache+Knox
> Example:
> {code}
> <provider>
> <role>identity-assertion</role>
> <name>Default</name>
> <enabled>true</enabled>
> <param>
> <name>virtual.group.mapping.vgroup1</name>
> <value>(or (username 'tom') (member 'analyst'))</value>
> </param>
> </provider>
> {code}
> General usage:
> {code}
> <name>virtual.group.mapping.VIRTUAL-GROUP-NAME</name>
> <value>PREDICATE</value>
> {code}
> If the PREDICATE evaluates to true the user is added to VIRTUAL-GROUP-NAME.
> There can be any number of virtual group mappings within the provider.
> h2. Language Syntax
> The predicate uses a parenthesized prefix notation language, similar to Lisp.
> * Everything in the language is either an atom or a list
> * A list is written with its elements separated by whitespace, and surrounded
> by parentheses, like (or true false false)
> * Lists can be nested to arbitrary level, like (or true (and false true))
> * An atom is either a boolean (true/false), a string, a number or a symbol
> (which denotes a functions name or a variable name).
> * Strings are single-quoted which makes easier to embed the language into XML
> or JSON.
> * There is a one to one mapping between the textual syntax and the parser
> generated AST. You can always infer the exact AST just by looking at the code.
> From this code the parses generates the following AST:
> {code}
> (or true (and false true))
> {code}
> {code}
> [or, true, [and, false, true]]
> {code}
> This has exactly the same structure, but everything is converted to internal
> Java representations. Lists are ArrayLists, booleans are java.lang.Boolean-s,
> etc.
> h2. Evaluation rules
> * A literal atom evaluates to itself ('astring', 123).
> * If an atom is a symbol (like _or_, _username_, _true_, _false_) then the
> atom is looked up in a dictionary.
> * The head of a list is the name of the function we're about to call. The
> rest are the parameters. E.g.: (or true false)
> * Before calling the function (1st item of the list) we evaluate the rest of
> the list (recursively).
> {code}
> (= 0 (size groups))
> ^ ^ ^
> | | |
> func param1 param2
> {code}
> h2. Special forms
> For some expressions the evaluation rule is slightly different. These are
> called special forms. These are the _or_ and the _and_. To support
> short-circuit evaluation, the parameters are not evaluated at the call site
> but by the definition itself.
> {code}
> (or true (and true false))
> ^ ^ ^
> | | |
> func param1 param2
> {code}
> First we call the operator (or) then we let the operator decide which part to
> evaluate. In the above example the _or_ will stop evaluating the expression
> after it sees that the first argument is _true_.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
